Choose between Azure AD Connect and Azure AD Connect Cloud Sync
My last blog post on Azure AD Connect Cloud Sync raised some thoughts about supported features. And yes, there is a lack of support for some popular features used by Azure AD Connect, like Hybrid Azure AD Join and Exchange Hybrid. If you depend on these features today, you need to keep Azure AD Connect. But also keep in mind that the roadmap is to replace Azure AD Connect with Azure AD Cloud Sync, so start testing and preparing for it.
Some features are still missing from Azure AD Connect Cloud Sync, so not all organizations can implement it yet.
Feature | Azure Active Directory Connect sync | Azure Active Directory Connect cloud sync |
---|---|---|
Connect to single on-premises AD forest | ● | ● |
Connect to multiple on-premises AD forests | ● | ● |
Connect to multiple disconnected on-premises AD forests | ● | |
Lightweight agent installation model | ● | |
Multiple active agents for high availability | ● | |
Connect to LDAP directories | ● | |
Support for user objects | ● | ● |
Support for group objects | ● | ● |
Support for contact objects | ● | ● |
Support for device objects | ● | |
Allow basic customization for attribute flows | ● | ● |
Synchronize Exchange online attributes | ● | ● |
Synchronize extension attributes 1-15 | ● | ● |
Synchronize customer defined AD attributes (directory extensions) | ● | |
Support for Password Hash Sync | ● | ● |
Support for Pass-Through Authentication | ● | |
Support for federation | ● | ● |
Seamless Single Sign-on | ● | ● |
Supports installation on a Domain Controller | ● | ● |
Support for Windows Server 2016 | ● | ● |
Filter on Domains/OUs/groups | ● | ● |
Filter on objects’ attribute values | ● | |
Allow minimal set of attributes to be synchronized (MinSync) | ● | ● |
Allow removing attributes from flowing from AD to Azure AD | ● | ● |
Allow advanced customization for attribute flows | ● | |
Support for password writeback | ● | ● |
Support for device writeback | ● | |
Support for group writeback | ● | |
Support for merging user attributes from multiple domains | ● | |
Azure AD Domain Services support | ● | |
Exchange hybrid writeback | ● | |
Unlimited number of objects per AD domain | ● | |
Support for up to 150,000 objects per AD domain | ● | ● |
Groups with up to 50,000 members | ● | ● |
Large groups with up to 250,000 members | ● | |
Cross domain references | ● | ● |
On-demand provisioning | ● | ● |
Support for US Government | ● | ● |
Also, installing the agent on Server Core is not supported.
If you need further help choosing the right sync tool for your organization, there is a simple wizard at:
https://admin.microsoft.com/adminportal/home?Q=setupguidance#/modernonboarding/identitywizard
Click on the button Check Sync Tool.
You will be presented with a list of questions about your feature needs for your sync tool:
If you select any of the last 7 questions, the recommended sync tool will be the old Azure AD Connect.
So, Azure AD Connect Cloud Sync does not support custom and extension attributes, device sync, Exchange Hybrid, linked mailboxes, or attribute and OU filters. And there is a limit of 250,000 objects.
But this is only a problem if you see it as a problem. Think new, think fresh!
Do we really need Hybrid Azure AD Join?
You need to ask yourself: Is Hybrid Azure AD Join really a requirement?
Most organizations today can use cloud native PCs: computers joined only to Azure AD. This is a slow but growing trend. I am often met with skepticism when I suggest it, but most on-premises systems today actually work great with both locally joined and cloud joined computers. There are even some benefits of using cloud native PCs:
- You can log on with both local AD synced accounts and cloud Azure AD accounts
- If you change a user account password, you no longer need to connect the computer to the LAN or VPN to get the cached credentials updated.
- Modern way of joining and managing devices with no on-premises dependencies
- Deployment can be done from any location
You of course need to test this out and see if it works in your environment. And if you run into problems, don't just give up! Think new, think fresh! Can we solve the problem by modernizing the service that failed? Can it be published through Azure AD Proxy, etc.?
Do we need Exchange Hybrid and Linked Mailboxes?
This is probably a bigger problem. Many organizations tend to keep some of their email in-house, often due to cost optimizations. But this can of course be solved too. The cost of managing and maintaining the on-premises Exchange organization is probably higher if you include all the aspects. So, let's move those last mailboxes up to Exchange Online and decommission the Exchange organization.
When it comes to linked mailboxes in resource forests, this is a tricky one! You need to use Azure AD Connect during the migration. When all mailboxes are in the cloud, you can convert to Azure AD Connect Cloud Sync.
Do we need Custom and Extension Attribute sync?
If you say yes, then you're probably stuck with Azure AD Connect until it's supported. I have many customers using custom attribute sync for management and automation. Azure AD and Microsoft Graph are quite limited in the number of default attributes, so if you need something of your own, you are dependent on custom attributes. In Azure AD Connect Cloud Sync you have the possibility to map the existing attributes in the sync, so you might be able to get this to work without your custom attributes. I try to recommend using the defaults as long as possible.
Do we need to filter on attribute or OU?
Filtering on OU actually works in Azure AD Connect Cloud Sync as well. When setting up the sync, you are presented with the following filter possibilities:
But heads up: you cannot exclude OUs, only include them, and when you include an OU, all of its child OUs are included as well.
Filtering on attributes is not possible. So, if this is a requirement, Azure AD Connect is the tool for you.
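To make the include-only OU behaviour concrete, here is an added Python example (not from the original post and not Microsoft's code) that models OU scoping as a DN-suffix check and flags objects that would still sync because they sit in a child OU you meant to keep out; the DNs are constructed sample values and the suffix model is an assumption about how OU membership is decided.

```python
from typing import Iterable

def _normalize_dn(dn: str) -> tuple:
    # Split a DN into lower-cased RDNs; an escaped comma (\,) stays inside its value.
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":
            parts.append(buf.strip().lower())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip().lower())
    return tuple(parts)

def in_scope(object_dn: str, included_ous: Iterable[str]) -> bool:
    """True when object_dn sits in one of included_ous or in any OU beneath it."""
    obj = _normalize_dn(object_dn)
    for ou in included_ous:
        ou_rdns = _normalize_dn(ou)
        # The OU's RDNs must be a suffix of the object's RDNs, with at least one
        # extra RDN in front (the object's own CN, possibly via child OUs).
        if len(obj) > len(ou_rdns) and obj[-len(ou_rdns):] == ou_rdns:
            return True
    return False

def audit_scope(object_dns, included_ous, must_not_sync) -> list:
    """Objects the include-only filter would sync although they sit in an OU you
    wanted kept out; with no exclude rule, move them or narrow included_ous."""
    return [dn for dn in object_dns
            if in_scope(dn, included_ous)
            and any(in_scope(dn, [blocked]) for blocked in must_not_sync)]

# Constructed sample values, not taken from any real directory.
INCLUDED_OUS = ["OU=Users,DC=contoso,DC=local"]
NO_SYNC_OUS = ["OU=Service Accounts,OU=Users,DC=contoso,DC=local"]
SAMPLE_OBJECTS = [
    "CN=Alice,OU=Users,DC=contoso,DC=local",
    "CN=Bob,OU=Sales,OU=Users,DC=contoso,DC=local",
    "CN=svc-backup,OU=Service Accounts,OU=Users,DC=contoso,DC=local",
    "CN=Admin,OU=Tier0,DC=contoso,DC=local",
]
```

Run `audit_scope(SAMPLE_OBJECTS, INCLUDED_OUS, NO_SYNC_OUS)` before enabling the configuration: anything it returns will be synced no matter how you arrange the include list.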
More FAQ on Azure AD Cloud Sync can be found here.